The National Strategy for Trusted Identities in Cyberspace (NSTIC) aims to create a framework that facilitates development of a wide array of online authentication technologies. In the process, the public/private partnership hopes to increase e-business by making online transactions more seamless and secure.

Imagine you’re at work and need to refill a prescription. Instead of logging into your drugstore’s website with a username and password, you use a “mobile token” on your smartphone to authenticate yourself on the pharmacy’s site and order the refill. You then use that same token to confirm your identity as you check your bank account balance online, pay some bills, remotely turn down the air conditioning at home, and update your frequent flyer preferences. You no longer have to remember a different password for each site, and you don’t have to share any additional personal information. That one trusted credential—the mobile token—provides secure access to these and many other sites you visit.

The secure, seamless, and privacy-enhancing authentication experience described is the vision of NSTIC, the National Strategy for Trusted Identities in Cyberspace, a presidential strategy being implemented by the private sector, in partnership with the National Institute of Standards and Technology (NIST). NSTIC has the participation of hundreds of public and private sector organizations. Those involved in NSTIC recognize that the problems associated with relying on passwords to authenticate users—passwords can be hard for individuals to remember and easy for hackers to crack—can impede online commerce, according to Carey Miller, a director with Deloitte & Touche LLP’s Security & Privacy practice. Deloitte & Touche LLP is working with the NSTIC National Program Office to support the implementation of the strategy.

“When businesses can’t serve customers online, because a consumer has forgotten her password or certain transactions are too sensitive to automate, they miss out on opportunities to interact with consumers in ways that can lower their operating costs and potentially increase their revenue,” says Miller.

Facilitating Trust, Transparency, and Commerce

Jeremy Grant, senior executive advisor for identity management at NIST, noted at a conference that the goal of NSTIC is to make online transactions easier, faster, and more secure for individuals and businesses, while enhancing consumers’ privacy. To that end, participants in a privately led steering group have spent the past 12 to 18 months developing a framework for an “identity ecosystem.” Grant describes the identity ecosystem as “a marketplace where all Americans can choose to obtain—and businesses can easily accept—credentials, in lieu of passwords, that are secure, interoperable, privacy-enhancing, and easy to use everywhere they go online.”

Credential providers will likely play a central role in this identity ecosystem, according to Mike Wyatt, a director with Deloitte & Touche LLP’s Security & Privacy practice. These service providers are expected to offer a range of credentials—smart ID cards, digital certificates, and tokens—that individuals can use to authenticate themselves.

NSTIC also relies upon established “Fair Information Practice Principles” to govern how businesses, including credential and other service providers, can use the personally identifiable information they collect in the course of business. These principles are designed to protect consumers’ privacy, and they require companies to obtain individuals’ consent to collect, use, and disseminate their personally identifiable information (PII). They also require companies to explain to consumers how they use and maintain PII, and they limit the amount of PII companies may process, store, and require for transactions.

Miller notes that NSTIC could promote widespread adoption of these principles, which many companies have otherwise been slow to adopt. She also indicates that the “Fair Information Practice Principles” could help to reestablish whatever trust consumers may have lost in e-commerce due to the many high-profile data breaches that have occurred in recent years.

“Consumers can expect the businesses that choose to participate in NSTIC’s identity ecosystem to protect their personal information in a way that aligns with NSTIC’s guiding principles of security, privacy, interoperability, and ease of use,” she says.

In addition to standards for data use, NSTIC calls for the development of interoperable technology standards and policies to support a wide range of transactions, from commenting anonymously on a blog to reviewing one’s medical records online, according to Colin Soutar, a senior manager with Deloitte & Touche LLP’s Security & Privacy practice. These technology standards and policies would help to authoritatively authenticate individuals and provide accountability for business transactions.

Business Value

Heavily regulated industries such as health care and financial services stand to benefit from NSTIC’s framework. Miller observes that health care organizations—providers, insurers, and pharmaceutical companies—face a variety of challenges that trusted credentials could address: securing access to electronic medical records; managing massive yet fluctuating numbers of patient and provider user accounts; and governing sprawling systems and networks with varying access requirements. The credentials envisioned by NSTIC could help to confirm that only appropriate individuals access medical records and other systems, while making it easier to manage user accounts.

Miller and Wyatt advise CIOs to monitor NSTIC’s progress because the framework it proposes has the potential to reduce businesses’ risk. Organizations that can confirm consumers’ identities through a secure credential can limit the amount of personal information required for each transaction, potentially decreasing their exposure to certain types of data breaches and identity theft, they say. NSTIC’s solutions may also increase companies’ revenue and decrease their costs by allowing them to capture and automate transactions that were previously abandoned or processed manually.

“CIOs who get involved in NSTIC have the opportunity to shape a nascent initiative from a policy and technology perspective,” says Wyatt. “They may also get a first-mover advantage by deploying these new technologies and frameworks ahead of competitors.”

About Deloitte Insights

Deloitte Insights for CIOs couples broad business insights with deep technical knowledge to help executives drive business and technology strategy, support business transformation, and enhance growth and productivity. Through fact-based research, technology perspectives and analyses, case studies and more, Deloitte Insights for CIOs informs the essential conversations in global, technology-led organizations.